On Tue, Dec 15, 2015 at 5:01 PM, Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote:
> Might I enquire about the cryptographical reason behind such a limit?
>
> Is this the limit on the size of a single record? GCM does have a limit
> approximately there on the size of a single plaintext it can encrypt. For
> TLS, it encrypts a record as a single plaintext, and so this would apply to
> extremely huge records.

The issue is the bounds in Iwata-Ohashi-Minematsu's paper, which show a quadratic confidentiality loss after a total volume sent. This is an exploitable issue.

> Or is this a limit on the total amount of traffic that can go through a
> connection over multiple records? If this is the issue, what is the
> security concern that you would have if that limit is exceeded?
>
> Thank you.
>
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Eric Rescorla
> Sent: Tuesday, December 15, 2015 4:15 PM
> To: tls@ietf.org
> Subject: [TLS] Data volume limits
>
> Watson kindly prepared some text that described the limits on what's safe
> for AES-GCM and restricting all algorithms with TLS 1.3 to that lower
> limit (2^{36} bytes), even though ChaCha doesn't have the same
> restriction.
>
> I wanted to get people's opinions on whether that's actually what we want
> or whether we should (as is my instinct) allow people to use ChaCha
> for longer periods.
>
> -Ekr
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

--
"Man is born free, but everywhere he is in chains".
--Rousseau.
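The per-key volume accounting discussed in this thread, as an added example that is not part of the original messages or of any TLS implementation. `KeyVolumeTracker` and `quadratic_term` are hypothetical names, and the sigma^2 / 2^128 term is an assumed simplified shape used only to show quadratic growth, not the exact bound from the paper cited above.

```python
from fractions import Fraction

BLOCK_BYTES = 16            # AES block size in bytes
GCM_LIMIT_BYTES = 2 ** 36   # limit quoted in the thread

def quadratic_term(total_bytes, block_bits=128):
    """Assumed birthday-style shape sigma^2 / 2^n, sigma = blocks sent.
    Illustrates quadratic growth only; not the paper's exact bound."""
    sigma = -(-total_bytes // BLOCK_BYTES)  # ceiling division
    return Fraction(sigma * sigma, 2 ** block_bits)

class KeyVolumeTracker:
    """Counts bytes protected under one traffic key (hypothetical helper)."""

    def __init__(self, cipher, uniform_limit=True):
        # uniform_limit=True: every cipher is held to the AES-GCM figure.
        # uniform_limit=False: only AES-GCM is capped; None means this
        # particular bound imposes no cap on the cipher.
        capped = uniform_limit or cipher == "AES-GCM"
        self.limit = GCM_LIMIT_BYTES if capped else None
        self.sent = 0
        self.rekeys = 0

    def protect(self, record_len):
        """Account for one record, switching keys before the cap is crossed.
        Returns True when a key change was required for this record."""
        if self.limit is not None and record_len > self.limit:
            raise ValueError("single record exceeds the per-key limit")
        rekeyed = self.limit is not None and self.sent + record_len > self.limit
        if rekeyed:
            self.sent = 0       # constructed stand-in for installing a new key
            self.rekeys += 1
        self.sent += record_len
        return rekeyed

if __name__ == "__main__":
    for cipher, uniform in [("AES-GCM", True), ("ChaCha20-Poly1305", True),
                            ("ChaCha20-Poly1305", False)]:
        t = KeyVolumeTracker(cipher, uniform)
        t.sent = GCM_LIMIT_BYTES - 100      # constructed: key almost used up
        print(cipher, uniform, t.protect(2 ** 14), t.sent)
    for exp in (32, 36, 40):
        print(f"2^{exp} bytes -> term {float(quadratic_term(2 ** exp)):.3e}")
```

Under the assumed shape, doubling the volume sent under one key quadruples the term, which is why the limit is stated on total traffic rather than on a single record.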